CN112667766A - Method and system for fusing network threat information metadata - Google Patents

Info

Publication number: CN112667766A
Authority: CN (China)
Prior art keywords: metadata, network threat, threat intelligence, data, information
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Application number: CN202011562097.7A
Other languages: Chinese (zh)
Inventors: 马春燕, 姜政伟, 江钧, 邓铭锋, 李宁, 刘宝旭
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Institute of Information Engineering of CAS
Original Assignee: Institute of Information Engineering of CAS
Application filed by: Institute of Information Engineering of CAS

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention provides a method and a system for fusing network threat intelligence metadata, used to resolve conflicts in multi-source heterogeneous network threat intelligence. The method comprises the following steps: converting unstructured network threat intelligence data into structured network threat intelligence; mapping the structured network threat intelligence data to metadata; splitting the network threat intelligence metadata; fusing the network threat intelligence metadata; and providing the fused metadata to network security threat intelligence analysts through an interface, using a customized output template. With the method and the system, network threat report data can be fused at a finer granularity, and the fused result can be automatically configured.

Description

Method and system for fusing network threat information metadata
Technical Field
The invention relates to the field of computer network security and can be used for fusion or conflict resolution of network threat intelligence metadata.
Background
Threat intelligence is evidence-based knowledge, mainly including scenarios, mechanisms, indicators, implications, actionable advice, and the like. High-quality threat intelligence provides decision support for a subject responding to existing or emerging threats. Metadata is defined as data that describes data: descriptive information about data and information resources. Cyber threat intelligence metadata is data that describes cyber threat intelligence data. Cyber threat intelligence data also needs to be normalized or described so that it can be processed, analyzed, and exchanged with other vendors or platforms. The corresponding entities are defined with reference to international standards, OpenIOC, IODEF (Incident Object Description Exchange Format), STIX (Structured Threat Information eXpression), and actual business requirements. To achieve fusion, these entities need to be mapped into metadata types. In combination with the actual application scenario, there are nineteen finally mapped metadata types: IP, URL, Sample, Domain name, Whois (domain name registration information), AS (global autonomous system information), Cert (digital certificate), Vul (vulnerability), mailbox reputation, Account, Other observable, Tool, TTP (attack technique), Actor (threat subject), Target (threat target), identity (security event), Report (threat report), and Action (countermeasure).
Currently, with the continuous development of cyberspace defense and countermeasure technology, attacks against important information systems are numerous and hard to detect, attackers' strategies are diverse and complex, and the cost of attack keeps falling. For defenders, detecting and resisting cyber attacks is increasingly difficult, and the worldwide cyberspace security threat is increasingly prominent and severe. In this situation, traditional cyberspace defense strategies become less efficient and defenders are more likely to be left in a passive position. Therefore, the various key and novel protection technologies need to cooperate and work in linkage, so as to know oneself and the adversary, discover threats in time, and defend actively. Acquiring high-quality network threat intelligence data is very important for this, and the emergence and development of network security threat intelligence utilization and sharing technology makes improving global cyberspace security protection more feasible.
Network security threat intelligence utilization and sharing technology uses rapid aggregation and fusion of multi-source heterogeneous network threat intelligence data to map the entities of heterogeneous threat intelligence effectively, analyzes and mines the similarity of network threats at multiple levels, statistically analyzes known attack patterns, and finds ongoing or potential threats through pattern association. By constructing a multi-source heterogeneous network threat intelligence fusion system, high-quality intelligence is obtained, providing deep, broad and targeted intelligence support for the active defense of important information systems, such as risk early warning, threat discovery and tracing, thereby improving the active defense and network deterrence capability of the whole cyberspace. In practice, however, network threat intelligence data obtained from cyberspace is often multi-source and heterogeneous, the data volume is often large, and conflicts exist among the data; building an analysis framework for network threat intelligence fusion is the research foundation of network threat intelligence analysis and processing technology. Research on, and system construction for, multi-source heterogeneous cyberspace threat intelligence fusion technology is therefore very valuable.
At present, in the field of network threat intelligence fusion, the mainstream approach is to fuse intelligence data based on rules, field mapping, templates, manual work and the like. The fusion granularity of these methods is coarse, and the output of the fused result is inflexible.
Disclosure of Invention
In view of the current situation and the existing problems, the invention provides a network threat intelligence metadata fusion system and seven fusion methods, which can fuse network threat intelligence at a finer granularity.
The technical scheme adopted by the invention is as follows:
A method for fusing network threat intelligence metadata comprises the following steps:
acquiring unstructured network threat intelligence data and converting the unstructured network threat intelligence data into structured network threat intelligence data;
mapping the structured network threat intelligence data into network threat intelligence metadata;
splitting the network threat information metadata;
fusing the split network threat information metadata;
and performing customized configuration on the fused network threat intelligence metadata.
Further, acquiring unstructured cyber-threat intelligence data and converting it into structured cyber-threat intelligence data comprises: collecting open source intelligence, purchased (paid) intelligence and self-produced intelligence from various intelligence sources, representing the intelligence data using an existing specification, and converting the collected unstructured network threat intelligence data into normalized structured data.
Further, mapping the structured cyber-threat intelligence data into cyber-threat intelligence metadata includes: mapping the fields of the structured network threat intelligence data that relate to metadata into a multi-level attribute representation, and mapping the other fields into a one-level attribute representation.
Further, splitting the cyber threat intelligence metadata includes: fully splitting the network threat intelligence metadata, taking a field or attribute of the metadata as the basic unit.
Further, fusing the split network threat intelligence metadata includes: selecting different fusion algorithms to fuse the metadata according to the characteristics of each type of network threat intelligence metadata.
Further, the fusion algorithms include: the majority voting algorithm, the summation algorithm, the mean algorithm, the investment algorithm, the joint investment algorithm, the truth discovery algorithm, and the semi-supervised truth discovery algorithm.
Further, the customized configuration of the fused network threat intelligence metadata includes: configuring output fields for the fused metadata according to the user's actual requirements, and providing them to the user through an external interface.
A network threat intelligence metadata fusion system adopting the above method comprises:
a module for converting unstructured network threat intelligence data into structured network threat intelligence data, used for acquiring unstructured network threat intelligence data and converting it into structured network threat intelligence data;
a module for mapping structured network threat intelligence data to metadata, used for mapping the structured network threat intelligence data into network threat intelligence metadata;
a network threat intelligence metadata splitting module, used for splitting the network threat intelligence metadata;
a network threat intelligence metadata fusion module, used for fusing the split network threat intelligence metadata;
and a customized configuration module, used for performing customized configuration on the fused network threat intelligence metadata.
The invention has the following beneficial effects:
The invention fuses network threat report data at a finer granularity and can automatically configure the fused result. The configured result is provided to the user through an external interface, which improves the user experience.
Drawings
FIG. 1 is a schematic block diagram of a system according to the present invention;
FIG. 2 is a diagram illustrating how structured cyber-threat intelligence is mapped into cyber-threat intelligence metadata (taking IP reputation information as an example) according to the present invention;
FIG. 3 is a diagram illustrating how network threat intelligence metadata is split (taking IP metadata as an example) according to the present invention;
FIG. 4 is a flowchart of the execution of the threat intelligence metadata fusion algorithm (Majority Voting) provided in the present invention;
FIG. 5 is a flowchart of the threat intelligence metadata fusion algorithm (iterative) execution provided by the present invention;
FIG. 6 is a flowchart of the execution of the threat intelligence metadata fusion algorithm (semi-supervised truth discovery algorithm) provided by the present invention;
FIG. 7 is a schematic diagram of the configuration of the output template of the system according to the present invention (taking IP metadata as an example);
FIG. 8 is a diagram illustrating a query pattern of external links generated by a user using the system according to the present invention.
Detailed Description
In order to make the technical scheme, features and advantages of the present invention clearer and more comprehensible, the present invention is further described with reference to the accompanying drawings.
The invention discloses a method for fusing network threat intelligence metadata, which comprises the following steps:
(1) First, network threat intelligence data is obtained from various intelligence sources, including open source intelligence, purchased (paid) intelligence and self-produced intelligence. Since the intelligence data is unstructured, automated processing requires the cyber threat intelligence data to be normalized, i.e., converted into structured cyber threat intelligence data. With reference to international standards, OpenIOC, IODEF (Incident Object Description Exchange Format), STIX (Structured Threat Information eXpression), and actual business requirements, a network threat intelligence specification applicable to the present system is defined. For the purpose of fusion, the entities defined by this specification need to be mapped to metadata types.
(2) Map the structured cyber-threat intelligence data, represented using the specification defined in (1), into the form of cyber-threat intelligence metadata;
(3) Split each metadata item fully, taking the fields or attributes of the metadata as the basic unit;
(4) According to the characteristics of each type of network threat intelligence metadata, select different fusion algorithms to fuse the metadata; the fusion algorithms comprise: Majority Voting, Sums, Average·Log, Investment, PooledInvestment, TruthFinder and Semi-Supervised Truth Discovery;
(5) Configure output fields for the fused metadata according to the user's actual requirements, and provide them to the user through an external interface.
The invention provides a network threat intelligence metadata fusion system. FIG. 1 is an overall framework diagram of the system, which mainly comprises five modules: conversion of unstructured network threat intelligence data into structured network threat intelligence data, mapping of structured network threat intelligence data to metadata, splitting of network threat intelligence metadata, fusion of network threat intelligence metadata, and customized configuration of the fused output. The processing procedure of each module is explained in detail below.
Module for converting unstructured network threat intelligence data into structured network threat intelligence data:
Open source intelligence, purchased (paid) intelligence and self-produced intelligence are collected from various intelligence sources, and the intelligence data is expressed using an existing specification. Building on international standards recognized by the industry, OpenIOC, IODEF (Incident Object Description Exchange Format) and STIX (Structured Threat Information eXpression), combined with actual business requirements, a specification suitable for the system is defined, and the collected unstructured network threat intelligence data is converted into normalized structured data.
Module for mapping structured network threat intelligence data to metadata:
The obtained structured network threat intelligence data is mapped into the form of network threat intelligence metadata; the specific mapping is described using IP reputation information as an example. IP reputation information is the gray/black verdict for a specified IP and its associated information. The main fields include malicious type, detection time, associated domain names, associated samples, and the like. During mapping, fields related to other metadata are mapped into a relational form, i.e., a multi-level attribute representation, and other fields are mapped into a one-level attribute representation. FIG. 2 shows the mapping of IP reputation information; other structured network threat intelligence is mapped in the same way.
Network threat intelligence metadata splitting module:
Each metadata item is split fully, taking the fields or attributes of the metadata as the basic unit. The splitting of IP metadata is shown in FIG. 3 (the ellipses on the right side of FIG. 3 indicate that, after splitting, other attribute information helpful for fusion can be added according to the fusion requirement), i.e., {"attribute 1": "value 1", "attribute 2": "value 2"} is split into {"attribute 1": "value 1"} and {"attribute 2": "value 2"}. Other metadata is split in the same way as IP metadata.
Network threat intelligence metadata fusion module:
Different fusion algorithms are selected for different types of metadata, according to the characteristics of each type. The fusion module implements 7 fusion algorithms, whose steps are described in detail below.
(1) Majority Voting (majority voting algorithm)
First, initialize the trust score of each data source to $w_i$ ($i = 1, 2, \ldots, n$), where $n$ is the number of data sources;
Second, calculate the trust score of the value corresponding to each metadata attribute:
Figure BDA0002861025050000051
and
Figure BDA0002861025050000052
where $T_{odv}$ and $s(od)$ represents the number of data sources containing the metadata $o$ and the attribute $d$.
Third, select the attribute value with the maximum trust score as the most accurate value of the attribute;
Fourth, determine whether the metadata attributes in all data sources have been fused; if not, return to the second step and continue calculating until all metadata attributes in all data sources have been fused.
The execution flow chart of the algorithm is shown in fig. 4.
(2) Sums (summation algorithm)
First, initialize the trust score of each attribute value as:
Figure BDA0002861025050000053
where $B^0(v)$ represents the initial trust score of attribute value $v$, $S_v$ represents the data sources with attribute value $v$, $|S_v|$ represents the number of data sources with attribute value $v$, and $M_v$ represents the mutually exclusive set of attribute value $v$ (for example, a first data source gives Twilight's birthday as 10.1.1998 and a second gives it as 4.9.1996; the birthday has only one answer, so each description is mutually exclusive with the rest, and the mutually exclusive set is the set of these mutually exclusive elements); $m$ is one element of $M_v$.
Second, calculate the trust score of each data source:
Figure BDA0002861025050000061
where $V_s$ represents all attribute values of data source $s$, $T^i(s)$ represents the trust score of data source $s$ after the $i$th iteration, and $B^{i-1}(v)$ represents the trust score of attribute value $v$ after the $(i-1)$th iteration.
Third, calculate the trust score of each attribute value:
Figure BDA0002861025050000062
where $S_v$ represents all data sources with attribute value $v$, $B^i(v)$ represents the trust score of attribute value $v$ after the $i$th iteration, and $T^i(s)$ represents the trust score of data source $s$ after the $i$th iteration.
Fourth, determine whether the iteration termination condition is reached; if not, return to the second step and continue calculating; if it is reached, execute the fifth step;
Fifth, for each attribute, select the attribute value with the maximum trust score as the most accurate value of the attribute. The execution flow chart of the algorithm is shown in fig. 5.
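The splitting step followed by Majority Voting and Sums, as an added example that is not code from the patent. The formula images are not available on this page, so the vote normalisation, the Sums prior and the rescaling by the maximum are assumptions; the feed names and sample records are constructed.

```python
from collections import defaultdict

# Constructed sample: four hypothetical feeds describing one IP metadata object
# (198.51.100.7 is a documentation address).
REPORTS = {
    "feed_a": {"198.51.100.7": {"malicious_type": "c2", "asn": "AS64500", "country": "NL"}},
    "feed_b": {"198.51.100.7": {"malicious_type": "scanner", "asn": "AS64500"}},
    "feed_c": {"198.51.100.7": {"malicious_type": "scanner", "asn": "AS64511", "country": "NL"}},
    "feed_d": {"198.51.100.7": {"malicious_type": "c2", "asn": "AS64500", "country": "NL"}},
}


def split(reports):
    """Splitting step: one (source, object, attribute, value) claim per field."""
    return [(src, obj, attr, val)
            for src, objects in reports.items()
            for obj, fields in objects.items()
            for attr, val in fields.items()]


def group(claims):
    """(object, attribute) -> value -> set of sources asserting that value."""
    grouped = defaultdict(lambda: defaultdict(set))
    for src, obj, attr, val in claims:
        grouped[(obj, attr)][val].add(src)
    return grouped


def majority_vote(claims, weights=None):
    """Score = summed source weights w_i behind a value / number of sources
    covering the attribute (assumed normalisation)."""
    weights = weights or {}
    scores = {}
    for key, values in group(claims).items():
        covering = set().union(*values.values())
        scores[key] = {val: sum(weights.get(s, 1.0) for s in srcs) / len(covering)
                       for val, srcs in values.items()}
    return scores


def sums(claims, max_iter=100, eps=1e-9):
    """Sums: T(s) = sum of B(v) over V_s, then B(v) = sum of T(s) over S_v,
    each rescaled by its maximum so the scores stay bounded (assumed form)."""
    grouped = group(claims)
    belief = {}
    for key, values in grouped.items():      # assumed prior: |S_v| / sum over M_v
        total = sum(len(srcs) for srcs in values.values())
        for val, srcs in values.items():
            belief[(key, val)] = len(srcs) / total
    values_of = defaultdict(list)             # V_s: the values each source asserts
    for src, obj, attr, val in claims:
        values_of[src].append(((obj, attr), val))
    trust = {}
    for _ in range(max_iter):
        trust = {s: sum(belief[v] for v in vs) for s, vs in values_of.items()}
        top = max(trust.values())
        trust = {s: t / top for s, t in trust.items()}
        updated = {(key, val): sum(trust[s] for s in srcs)
                   for key, values in grouped.items() for val, srcs in values.items()}
        top = max(updated.values())
        updated = {v: b / top for v, b in updated.items()}
        converged = max(abs(updated[v] - belief[v]) for v in updated) < eps
        belief = updated
        if converged:                         # assumed termination condition
            break
    scores = defaultdict(dict)
    for (key, val), b in belief.items():
        scores[key][val] = b
    return dict(scores), trust


def select(scores, tol=1e-12):
    """Most trusted value per attribute; None marks a tie left for an analyst."""
    fused = {}
    for key, values in scores.items():
        ranked = sorted(values.items(), key=lambda kv: kv[1], reverse=True)
        tied = len(ranked) > 1 and ranked[0][1] - ranked[1][1] < tol
        fused[key] = None if tied else ranked[0][0]
    return fused


if __name__ == "__main__":
    claims = split(REPORTS)
    print("majority vote:", select(majority_vote(claims)))
    print("sums:         ", select(sums(claims)[0]))
```

With equal source weights the vote on malicious_type ties, while Sums resolves it in favour of the feeds whose other values are corroborated.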
(3) Average·Log (mean algorithm)
First, initialize the trust score of each attribute value as:
$B^0(v) = 0.5$
Second, calculate the trust score of each data source:
Figure BDA0002861025050000063
Third, calculate the trust score of each attribute value:
Figure BDA0002861025050000064
Fourth, determine whether the iteration termination condition is reached; if not, return to the second step and continue calculating; if it is reached, execute the fifth step;
Fifth, for each attribute, select the attribute value with the maximum trust score as the most accurate value of the attribute.
The execution flow chart of the algorithm is shown in fig. 5.
(4) Investment (Investment algorithm)
First, initialize the trust score of each attribute value as:
Figure BDA0002861025050000065
Second, calculate the trust score of each data source:
Figure BDA0002861025050000066
where $r$ denotes a data source with attribute value $v$, $V_r$ represents all attribute values of data source $r$, and $T^{i-1}(r)$ represents the trust score of data source $r$ after the $(i-1)$th iteration.
Third, calculate the trust score of each attribute value, weighted by a non-linear function $\rho(x)$:
Figure BDA0002861025050000071
$\rho(x) = x^{1.2}$
Fourth, determine whether the iteration termination condition is reached; if not, return to the second step and continue calculating; if it is reached, execute the fifth step;
Fifth, for each attribute, select the attribute value with the maximum trust score as the most accurate value of the attribute.
The execution flow chart of the algorithm is shown in fig. 5.
(5) PooledInvestment (joint investment algorithm)
First, initialize the trust score of each attribute value as:
Figure BDA0002861025050000072
Second, calculate the trust score of each data source:
Figure BDA0002861025050000073
Third, calculate the trust score of each attribute value:
Figure BDA0002861025050000074
$\rho(x) = x^{1.4}$
Figure BDA0002861025050000075
Fourth, determine whether the iteration termination condition is reached; if not, return to the second step and continue calculating; if it is reached, execute the fifth step;
Fifth, for each attribute, select the attribute value with the maximum trust score as the most accurate value of the attribute.
The execution flow chart of the algorithm is shown in fig. 5.
(6) TruthFinder (truth discovery algorithm)
First, initialize the trust score of each attribute value as:
Figure BDA0002861025050000081
Second, calculate the trust score of each data source:
Figure BDA0002861025050000082
Third, calculate the trust score of each attribute value:
Figure BDA0002861025050000083
Fourth, determine whether the iteration termination condition is reached; if not, return to the second step and continue calculating; if it is reached, execute the fifth step;
Fifth, for each attribute, select the attribute value with the maximum trust score as the most accurate value of the attribute.
The execution flow chart of the algorithm is shown in fig. 5.
(7) Semi-Supervised Truth Discovery algorithm
First, acquire a set of ground truth data (correctly labeled data);
Second, construct a connection graph among the metadata attribute values:
Values of the same metadata and the same attribute that come from different data sources are connected together with a connection weight of $w_{i,j} = \mathrm{sim}(m_i, m_j)$, where $\mathrm{sim}(m_i, m_j)$ represents the similarity of attribute value $m_i$ and attribute value $m_j$.
The attribute values of the same data source are connected together with a weight of $w_{i,j} = \alpha \cdot |s(m_i) \cap s(m_j)|$ and $\alpha \in (0, 1)$, where $s(m_i)$ represents the data sources that provide attribute value $m_i$.
Third, initialize the trust scores:
Initialize the trust scores of the metadata attribute values that are ground truth data to $c_1, \ldots, c_l$.
Initialize the trust scores of the other attribute values to 0.
Fourth, calculate the trust scores of the metadata attribute values:
$c^t = D^{-1} W c^{t-1}$, where $c^t$ represents the trust scores of the metadata attribute values after $t$ iterations, $W$ is the weight matrix, $W = [w_{ij}]$, and $D$ is a diagonal matrix with
$D_{ii} = \sum_j |w_{ij}|$. $W$ and $D$ are expensive to compute and store, and therefore need to be further decomposed.
(1) Calculation of the $W$ matrix
$W = W_s + W_d$
If $\mathrm{attr}(m_i) = \mathrm{attr}(m_j)$, $[W_s]_{ij} = \mathrm{sim}(m_i, m_j)$
If it is not
Figure BDA0002861025050000091
where $\mathrm{attr}(m_i)$ represents the attribute corresponding to attribute value $m_i$.
Analysis shows that $W_d$ has too many non-zero entries, so $W_d$ must be decomposed further. The matrix $V$ is defined as:
Figure BDA0002861025050000092
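Thus $c^t$ can be further rewritten as:
$c^t = D^{-1} W c^{t-1} = D^{-1}(W_s c^{t-1} + \alpha V V^T c^{t-1})$
where $\alpha$ is a parameter, and $\alpha \in (0, 1)$.
(2) Calculation of the $D$ matrix
$D = D_s + D_d$
$[D_s]_{ii} = \sum_j |[W_s]_{ij}|$, $[D_d]_{ii} = \sum_j |[W_d]_{ij}|$
$|s_k| = \sum_j V_{jk}$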
Figure BDA0002861025050000093
where $\alpha$ has the same meaning as above.
Fifth, restore the trust scores of the labeled metadata:
Figure BDA0002861025050000094
Sixth, decay the trust scores of the unlabeled data:
Figure BDA0002861025050000095
where
Figure BDA0002861025050000096
represents the trust score of the unlabeled attribute values, and $\mu$ is a parameter that can be set according to actual conditions.
Seventh, determine whether the following is satisfied:
Figure BDA0002861025050000097
If the iteration termination condition is not reached, return to the fourth step and continue calculating; if the iteration termination condition is reached, execute the eighth step;
Eighth, for each attribute, select the attribute value with the maximum trust score as the most accurate value of the attribute.
The execution flow chart of the algorithm is shown in fig. 6.
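The propagation and restoration steps (fourth and fifth) as an added example, not code from the patent, checking that the factored update $D^{-1}(W_s c + \alpha V V^T c)$ matches the dense $D^{-1} W c$ form. The 0/1 definition of $V$, the similarity function, the feed names and the sample values are assumptions; the decay step and the termination test are left out because their formulas are not available on this page, so a fixed number of rounds is used.

```python
# Constructed sample: candidate attribute values m_0..m_3 for one IP metadata
# object and the hypothetical feeds that provide each of them.
VALUES = [
    ("asn", "AS64500", {"feed_a", "feed_b", "feed_d"}),
    ("asn", "AS64511", {"feed_c"}),
    ("malicious_type", "c2", {"feed_a", "feed_d"}),
    ("malicious_type", "scanner", {"feed_b", "feed_c"}),
]
GROUND_TRUTH = {0: 1.0}   # m_0 is labelled ground truth with trust score 1
ALPHA = 0.5               # alpha in (0, 1)


def sim(a, b):
    """Assumed similarity for categorical values: conflicting values score -1."""
    return 1.0 if a == b else -1.0


def build(values):
    """Return V (value x source incidence, assumed 0/1) and W_s (same-attribute links)."""
    feeds = sorted(set().union(*(srcs for _, _, srcs in values)))
    n = len(values)
    V = [[1.0 if f in values[j][2] else 0.0 for f in feeds] for j in range(n)]
    Ws = [[sim(values[i][1], values[j][1])
           if i != j and values[i][0] == values[j][0] else 0.0
           for j in range(n)] for i in range(n)]
    return V, Ws


def degrees(V, Ws, alpha):
    """D = D_s + D_d, with [D_d]_ii = alpha * sum_k V_ik |s_k| and |s_k| = sum_j V_jk."""
    size = [sum(col) for col in zip(*V)]
    return [sum(abs(w) for w in Ws[i]) + alpha * sum(v * s for v, s in zip(V[i], size))
            for i in range(len(V))]


def step_factored(c, V, Ws, alpha):
    """c^t = D^-1 (W_s c^(t-1) + alpha V (V^T c^(t-1))), never forming W_d."""
    D = degrees(V, Ws, alpha)
    vt_c = [sum(V[j][k] * c[j] for j in range(len(c))) for k in range(len(V[0]))]
    return [(sum(w * x for w, x in zip(Ws[i], c))
             + alpha * sum(v * y for v, y in zip(V[i], vt_c))) / D[i]
            for i in range(len(c))]


def step_dense(c, V, Ws, alpha):
    """Reference: c^t = D^-1 W c^(t-1), W = W_s + alpha V V^T, D_ii = sum_j |w_ij|."""
    n = len(c)
    W = [[Ws[i][j] + alpha * sum(a * b for a, b in zip(V[i], V[j])) for j in range(n)]
         for i in range(n)]
    return [sum(W[i][j] * c[j] for j in range(n)) / sum(abs(w) for w in W[i])
            for i in range(n)]


def propagate(values, truth, alpha=ALPHA, rounds=200):
    """Fourth step (propagate) and fifth step (restore labelled scores), repeated."""
    V, Ws = build(values)
    c = [truth.get(i, 0.0) for i in range(len(values))]
    for _ in range(rounds):
        c = step_factored(c, V, Ws, alpha)
        for i, score in truth.items():
            c[i] = score
    return c


def fuse(values, scores):
    """Eighth step: keep the highest-scoring value of each attribute."""
    best = {}
    for (attr, val, _), score in zip(values, scores):
        if attr not in best or score > best[attr][1]:
            best[attr] = (val, score)
    return {attr: val for attr, (val, _) in best.items()}


if __name__ == "__main__":
    result = propagate(VALUES, GROUND_TRUTH)
    print([round(x, 3) for x in result], fuse(VALUES, result))
```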
Selection among the 7 algorithms: a suitable fusion method is selected according to the characteristics of the metadata type. Metadata whose information changes greatly over time, such as domain name metadata, has high timeliness requirements because the resolution information of a domain name changes rapidly, so a fusion algorithm with good timeliness is selected for it. For knowledge-based metadata such as organizational assets, the information generally does not change quickly, so the timeliness requirement on the fusion algorithm is not high, and the algorithm can be selected according to the actual experimental environment.
Customized configuration module for outputting the fused result:
The user can select different fields from the templates of different metadata types for output, according to actual requirements. After configuration, the system automatically generates an external link for long-term use by the user. Taking IP metadata as an example, the output template configuration is shown in fig. 7. The output templates for other metadata are configured in a similar manner to the IP metadata. The query made through the external link generated by the system is shown in fig. 8.
Based on the same inventive concept, another embodiment of the present invention provides an electronic device (computer, server, smartphone, etc.) comprising a memory storing a computer program configured to be executed by the processor, and a processor, the computer program comprising instructions for performing the steps of the inventive method.
Based on the same inventive concept, another embodiment of the present invention provides a computer-readable storage medium (e.g., ROM/RAM, magnetic disk, optical disk) storing a computer program, which when executed by a computer, performs the steps of the inventive method.
The particular embodiments of the present invention disclosed above are illustrative only and are not intended to be limiting, since various alternatives, modifications, and variations will be apparent to those skilled in the art without departing from the spirit and scope of the invention. The invention should not be limited to the disclosure of the embodiments in the present specification, but the scope of the invention is defined by the appended claims.

Claims (10)

1. A method for fusing network threat intelligence metadata is characterized by comprising the following steps:
acquiring unstructured network threat intelligence data and converting the unstructured network threat intelligence data into structured network threat intelligence data;
mapping the structured network threat intelligence data into network threat intelligence metadata;
splitting the network threat information metadata;
fusing the split network threat information metadata;
and performing customized configuration on the fused network threat intelligence metadata.
2. The method of claim 1, wherein obtaining unstructured cyber-threat intelligence data and converting it into structured cyber-threat intelligence data comprises: collecting open source intelligence, purchased (paid) intelligence and self-produced intelligence from various intelligence sources, representing the intelligence data using an existing specification, and converting the collected unstructured network threat intelligence data into normalized structured data.
3. The method of claim 1, wherein mapping structured cyber-threat intelligence data to cyber-threat intelligence metadata comprises: fields related to metadata in fields of the structured network threat intelligence data are mapped into a multi-level attribute representation form, and other fields are mapped into a one-level attribute representation form.
4. The method of claim 1, wherein splitting cyber-threat intelligence metadata comprises:
fully splitting the network threat intelligence metadata, taking a field or attribute of the network threat intelligence metadata as the basic unit.
5. The method of claim 1, wherein fusing the split cyber-threat intelligence metadata comprises: selecting different fusion algorithms to fuse the network threat intelligence metadata according to the characteristics of each type of network threat intelligence metadata.
6. The method of claim 5, wherein the fusion algorithm comprises: majority voting algorithms, summation algorithms, mean algorithms, investment algorithms, joint investment algorithms, truth discovery algorithms, and semi-supervised truth discovery algorithms.
7. The method according to claim 1, wherein said customized configuration of the fused cyber-threat intelligence metadata comprises: configuring output fields for the fused metadata according to the user's actual requirements, and providing them to the user through an external interface.
8. A cyber-threat intelligence metadata fusion system using the method of any one of claims 1 to 7, comprising:
a module for converting unstructured network threat intelligence data into structured network threat intelligence data, used for acquiring unstructured network threat intelligence data and converting it into structured network threat intelligence data;
a module for mapping structured network threat intelligence data to metadata, used for mapping the structured network threat intelligence data into network threat intelligence metadata;
a network threat intelligence metadata splitting module, used for splitting the network threat intelligence metadata;
a network threat intelligence metadata fusion module, used for fusing the split network threat intelligence metadata;
and a customized configuration module, used for performing customized configuration on the fused network threat intelligence metadata.
9. An electronic apparatus, comprising a memory and a processor, the memory storing a computer program configured to be executed by the processor, the computer program comprising instructions for performing the method of any of claims 1 to 7.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program which, when executed by a computer, implements the method of any one of claims 1 to 7.
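The field-level split of claim 4 and the per-field choice of fusion algorithm in claims 5 and 6 can be illustrated as follows. This is an added example, not code from the patent: the feed names, field names and values are constructed, and `truth_discovery` is a simplified iterative trust-weighting scheme assumed for illustration rather than the specific algorithm the applicants use.

```python
from collections import Counter, defaultdict

REPORTS = {  # constructed sample: three hypothetical feeds describing one threat
    "feed_a": {"malware_family": "FamilyX",
               "threat_actor": {"name": "ActorA", "region": "Region-2"}},
    "feed_b": {"malware_family": "FamilyX", "threat_actor": {"name": "ActorA"}},
    "feed_c": {"malware_family": "FamilyY",
               "threat_actor": {"name": "ActorB", "region": "Region-1"}},
}

def split(reports):
    """Split nested metadata into per-field units: path -> {source: value}."""
    units = defaultdict(dict)
    stack = [(src, "", meta) for src, meta in reports.items()]
    while stack:
        src, prefix, node = stack.pop()
        for key, val in node.items():
            path = f"{prefix}.{key}" if prefix else key
            if isinstance(val, dict):      # multi-level attribute: descend
                stack.append((src, path, val))
            else:                          # leaf field is the basic unit
                units[path][src] = val
    return dict(units)

def majority_vote(claims):
    """Most common value, or None when the top two values tie."""
    top = Counter(claims.values()).most_common(2)
    return None if len(top) > 1 and top[0][1] == top[1][1] else top[0][0]

def truth_discovery(units, rounds=5):
    """Alternate trust-weighted voting with re-estimating each source's trust."""
    trust = {s: 1.0 for claims in units.values() for s in claims}
    for _ in range(rounds):
        truth = {}
        for path, claims in units.items():
            score = {v: sum(trust[s] for s in claims if claims[s] == v)
                     for v in set(claims.values())}
            truth[path] = max(sorted(score), key=score.get)
        for s in trust:
            mine = [p for p, c in units.items() if s in c]
            hits = sum(units[p][s] == truth[p] for p in mine)
            trust[s] = (hits + 1) / (len(mine) + 2)   # smoothed accuracy
    return truth, trust

def fuse(reports, vote_fields):
    """Fuse each field with the algorithm selected for it."""
    units = split(reports)
    truth, trust = truth_discovery(units)
    return {p: majority_vote(c) if p in vote_fields else truth[p]
            for p, c in units.items()}, trust
```

With the sample data, majority voting cannot resolve `threat_actor.region` because two feeds disagree one-to-one, while the trust-weighted pass settles on the value from the feed that agreed with the consensus on the other fields.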
CN202011562097.7A 2020-12-25 2020-12-25 Method and system for fusing network threat information metadata Pending CN112667766A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011562097.7A CN112667766A (en) 2020-12-25 2020-12-25 Method and system for fusing network threat information metadata

Publications (1)

Publication Number Publication Date
CN112667766A true CN112667766A (en) 2021-04-16

Family

ID=75409056

Country Status (1)

Country Link
CN (1) CN112667766A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150207809A1 (en) * 2011-05-31 2015-07-23 Tyson Macaulay System and method for generating and refining cyber threat intelligence data
CN106060018A (en) * 2016-05-19 2016-10-26 中国电子科技网络信息安全有限公司 Network threat information sharing model
CN107370763A (en) * 2017-09-04 2017-11-21 ***通信集团广东有限公司 Assets security method for early warning and device based on outside threat intelligence analysis
CN111552855A (en) * 2020-04-30 2020-08-18 北京邮电大学 Network threat information automatic extraction method based on deep learning

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
林鑫 等: "资源发现***中基于多源数据融合的文献元数据质量提升", 《情报理论与实践》 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113449121A (en) * 2021-07-07 2021-09-28 北京华宇信息技术有限公司 Information analysis method and device
CN114925757A (en) * 2022-05-09 2022-08-19 中国电信股份有限公司 Multi-source threat intelligence fusion method, device, equipment and storage medium
CN114925757B (en) * 2022-05-09 2023-10-03 中国电信股份有限公司 Multisource threat information fusion method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210416